How long does it take a potential vulnerability to turn into a confirmed vulnerability, even with cvss based score 8 +?
From Severity Levels: "Potential Vulnerabilities include vulnerabilities that cannot be fully verified. In these cases, at least one necessary condition for the vulnerability is detected."
Qualys will always create vulnerability detections with type confirmed if it's possible with the information collected. Authenticated scans (and Cloud Agent) often collect more information than unauthenticated scans, and in these cases can sometimes detect a vulnerability as confirmed where an unauthenticated scan detects it as potential.
Qualys will update the detection logic if new information becomes available, and sometimes this results in a potential becoming confirmed. But as a general practice, potentials don't become confirmed over time, unless additional detection logic becomes available.
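To make the Confirmed/Potential distinction above actionable, here is a small triage script added as an example; it is not code from the original thread or from Qualys. It assumes the XML follows the general shape of the Qualys Host List Detection API response (HOST_LIST > HOST > DETECTION_LIST > DETECTION with QID, TYPE and SEVERITY children); the sample document, the IP addresses, the QIDs and the set of authenticated hosts are all constructed. Confirmed findings at the tracked severity go straight to the admins, while Potentials at that severity are queued for verification and flagged when the host has not yet had an authenticated scan, which is the step that most often turns a Potential into a Confirmed.

```python
"""Triage Qualys VM detections by TYPE (Confirmed / Potential) and severity.

Added example, not from the original thread. Element names are assumed from the
Qualys Host List Detection API layout; the XML below is constructed sample data,
not real scan output.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one host scanned with credentials, one without.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <HOST_LIST>
      <HOST>
        <ID>1001</ID>
        <IP>10.0.0.10</IP>
        <DETECTION_LIST>
          <DETECTION><QID>91000</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY></DETECTION>
          <DETECTION><QID>91001</QID><TYPE>Potential</TYPE><SEVERITY>5</SEVERITY></DETECTION>
          <DETECTION><QID>91002</QID><TYPE>Potential</TYPE><SEVERITY>3</SEVERITY></DETECTION>
        </DETECTION_LIST>
      </HOST>
      <HOST>
        <ID>1002</ID>
        <IP>10.0.0.11</IP>
        <DETECTION_LIST>
          <DETECTION><QID>91003</QID><TYPE>Confirmed</TYPE><SEVERITY>4</SEVERITY></DETECTION>
          <DETECTION><QID>91004</QID><TYPE>Potential</TYPE><SEVERITY>5</SEVERITY></DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""

# Hosts whose scans ran with credentials. Constructed; in practice this comes
# from your scan configuration or the authentication report.
AUTHENTICATED_HOSTS = {"10.0.0.10"}

MIN_SEVERITY = 5  # the department in the thread tracks severity 5 only


def parse_detections(xml_text):
    """Flatten the XML into (ip, qid, type, severity) tuples."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        for det in host.iter("DETECTION"):
            rows.append((ip, int(det.findtext("QID")), det.findtext("TYPE"),
                         int(det.findtext("SEVERITY"))))
    return rows


def triage(rows, authenticated_hosts, min_severity=MIN_SEVERITY):
    """Split in-scope detections into two work queues.

    report: Confirmed findings at or above min_severity, ready to hand to admins.
    verify: Potential findings at or above min_severity, flagged with whether an
            authenticated scan (the usual route from Potential to Confirmed) is
            still missing for that host.
    """
    report, verify = [], []
    for ip, qid, dtype, sev in rows:
        if sev < min_severity:
            continue
        if dtype == "Confirmed":
            report.append({"ip": ip, "qid": qid, "severity": sev})
        elif dtype == "Potential":
            verify.append({"ip": ip, "qid": qid, "severity": sev,
                           "needs_auth_scan": ip not in authenticated_hosts})
    return report, verify


def summarize(rows):
    """Count detections per TYPE; a large Potential share is the cue to check scan credentials."""
    return Counter(dtype for _, _, dtype, _ in rows)


if __name__ == "__main__":
    rows = parse_detections(SAMPLE_XML)
    print("by type:", dict(summarize(rows)))
    report, verify = triage(rows, AUTHENTICATED_HOSTS)
    for r in report:
        print("REPORT ", r)
    for v in verify:
        print("VERIFY ", v)
```

With the constructed input, the severity-5 Confirmed finding on 10.0.0.10 lands in the report queue, both severity-5 Potentials land in the verify queue, and only the one on the unauthenticated host 10.0.0.11 is flagged as needing an authenticated scan before anyone escalates it.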
Oh okay, I see. I was always told to be advised of the potential vulnerabilities, and I didn't know whether to make the admins aware of these potential vulnerabilities because they were severity level 5 with CVSS base scores of 8 and higher, and that's what our department focuses on.
vness68 If you have scans returning Potentials, you will want to investigate your scan authentication parameters. When authenticated vulnerability assessment scans are run, the number of potential vulnerabilities can be significantly reduced.
Are your scans running with authentication?
Self-Paced Class: Scanning Strategies and Best Practices on Vimeo
Hi Debra,
A lot of them are non-auth because they are departmental servers which we don't manage here, but we hope to change this soon; we do have some authenticated ones that we manage.